Cyber Threats Testing Resilience of Energy System

October 11, 2016
Andrew George
Chairman of the Energy & Power Practice for Marsh

Workers monitor plant operations in the control room of the Ivanpah Solar Electric Generating System in the Mojave Desert in California near Primm, Nevada. Critical energy infrastructure has come under increasing cyberattacks in the last several years.

Cyber threats are a rising and continuous test of the resilience of our energy systems at a time when the sector’s capacity to withstand shocks is being strained.

The energy systems of many mature economies are running at close to capacity and may not be able to effectively respond to supply interruptions caused by a cyber attack. In addition, many emerging economies are struggling to meet rising energy demands and would be strained by any loss of energy infrastructure, according to a new report from the World Energy Council and its partners, Marsh & McLennan Companies and Swiss Re Corporate Solutions. The report highlights the importance of increasing resilience to cyber risk to current and future energy security and it is a key topic as energy leaders gather in Istanbul this week for the World Energy Congress.

While all economic sectors face rising cyber threats, the risk is high in the energy sector given its role as a critical infrastructure. The digitization and interconnectivity of the modern energy sector exacerbates the challenge and increases its exposure. Ubiquitous connections to the internet have increased vulnerability in the industrial systems that control these physical assets. This connectively means it is possible to control the flow of oil from an oilfield from 5,000 miles away or more than 6,500 feet under the ocean. With this level of digitization, cyber attacks can become real-world physical events.

Attacks on energy systems can have strong and severe economic, social and environmental impacts. The impacts of physical weather events, such as hurricanes, typhoons or floods, which disable energy systems and cause interruptions in supply, reveal how quickly economies and societies are challenged without electricity and energy. For example, one scenario predicts that an attack on parts of the U.S. power grid impacting 15 U.S. states and Washington, D.C. and leaving 93 million people without power would cost the economy at least $243 billion and up to more than $1 trillion under extreme versions of the scenario.

The concerns that a cyber attack can cross over to the physical world are not theoretical. There have already been alarming events. For example, there was a rumored state–sponsored attack and explosion on the Baku-Tbilisi-Ceyhan pipeline near the eastern Turkish city of Erzincan on Aug. 7, 2008; in 2014, Norway’s National Security Authority on Energy Sector reported that more than 50 energy companies had been hacked and another 250 may have been impacted; and an attack on the power grid in Ukraine in 2015 cut power to 80,000 customers. It is clear that attacks on the energy sector can truly hobble economies and societies. With this level of potential impacts, the energy sector remains one of the most targeted for cyber attacks, attracting politically and financially motivated hackers.

Managing and Financing Cyber Risk

Cyber risks are a rising intangible peril that threatens assets and revenues and creates rising liabilities for energy companies. In a period of unprecedented change and transition, along with significant needs for investment, the sector must look to better manage and finance cyber risks.

When managing the risk, constant increases in physical and information technology security will only partially work. Cyber risks are dynamic threats that are constantly evolving; it is a game played against an adversary in which cyber past does not predict cyber future. Cyber risk management requires an enterprise-wide approach involving all individuals in an organization and other organizations in the supply chain. Increasingly, energy companies can expect to see a greater focus by regulators and governments on cyber governance and a growing set of mandatory and voluntary measures. For example, electric utilities must abide by the mandatory North American Electric Reliability Corporation Critical Infrastructure Protection standards. Meanwhile, gas utilities have voluntary Pipeline Security Guidelines developed by the Transportation Security Administration.

In addition, energy companies should engage in broader efforts to combat the challenge. Cyber threat is a shared issue, and there is limited advantage in going it alone. Actions by governments to increase national cyber security, such as developing and sharing cybersecurity frameworks, need to be matched by the private sector. Combating the threat will require collaboration by governments and private sector, and because the vast majority of critical infrastructure in many countries is owned and operated by the private sector, it is vital that government and industry lock arms in confronting this risk. Voluntary sharing of information between governments and the energy sector, along with mechanisms that allow energy companies to effectively share insights and information on cyber attacks, are critical. A number of such mechanismsalready exist with the energy sector.

When financing the risk, cyber insurance is an important part of helping shift the risk from the energy company’s balance sheet to the insurance company and offset the potential financial losses from a cyber attack. Interest and purchases of cyber insurance overall is growing across sectors. For example, standalone cyber insurance purchases among U.S.-based Marsh clients increased 27 percent from 2014 to 2015 and among power and utility clients by 28 percent in the same period.

The increase was fueled in part by the high-profile event in Ukraine, but also by the availability of more tailored insurance solutions for exposures, including explicit coverage for operational technology such as disruptions of supervisory control and data acquisition (SCADA) systems, business income and extra expense, failure to supply energy and network security and privacy liability. While the U.S. is the largest market for cyber insurance, interest is growing globally as cyber is a key concern of the global energy industry.

The process of purchasing cyber insurance offers additional benefits to companies as it requires companies to assess their own cyber practices. The underwriting process includes an analysis of a company’s technical defenses, incident response plan, procedures for patching software, policies for limiting access to data and systems, monitoring of the vendor network, reporting on cyber risks and training of internal staff. In addition, carriers assess the applicant’s security practices.

Cyber threats are a rising concern across the global energy sector, and in response, energy companies must adopt new strategies to manage and finance resilience.

Andrew George

Chairman of the Energy & Power Practice for Marsh

Andrew George is Chairman of the Energy & Power Practice for Marsh. Based in London, he joined Marsh in 1988 and has held a variety of leadership roles. In 2012, he became global chairman of Marsh’ Energy Practice. In early 2015, this group was extended to include Marsh activities in Power as well. He is a member of Marsh’s UKA Audit Committee and is a company-appointed trustee of the MMC UK Pensions Fund.